Operational Risk: Outsourcing

BIS has a white paper on outsourcing in the Financial Services Sector

Case study 4: OCC action against a bank and service provider

In 2002, the Office of the Comptroller of the Currency (OCC) in the USA took enforcement action against a Californian bank and a third-party service provider to the bank. The service provider originated, serviced, and collected certain loans booked by the bank in 18 states and the District of Columbia. Among other things, the service provider failed to safeguard customer loan files. The files, which represented loans carried on the books of the bank, were discarded in a trash dumpster in 2002.

The OCC alleged that the improper disposal of loan files resulted in violations of laws and regulations. The OCC also determined that the service provider committed unsafe and unsound practices that included a pattern of following the policies and procedures of the bank and a pattern of mismanagement of the bank's loan files. This case demonstrated the risks national banks expose themselves to when they rent out their charters to third-party vendors and fail to exercise sound oversight.
In the case of the bank, the OCC found that it failed to manage its relationship with the service provider in a safe and sound manner. In addition to violating the Equal Credit Opportunity Act and the Truth in Lending Act, the bank violated safety and soundness standards and also violated the privacy protections of the Gramm-Leach-Bliley Act, which sets standards for safeguarding and
maintaining the confidentiality of customer information. These violations and unsafe and unsound practices led to a cease and desist order against the bank. The order required the bank to pay civil money penalties and to terminate its relationship with
the service provider.

The service provider also paid a sum in penalties and was ordered to not enter into any agreement to provide services to a national bank or its subsidiaries without the approval of the OCC. To protect the privacy rights of consumers, the order also required the bank to notify all applicants whose loan files were lost. This notification was to advise the consumer of any steps they could taketo address potential identity theft.